Close the Removable Device Security Hole
Many claim that there is no longer a network perimeter. Historically, the Internet access gateway was seen as the perimeter of the network and if you hardened that perimeter well enough, you would be safe from unauthorized access to your network. Most network security administrators realize that this is no longer the case, and that Internet edge protection is just one of many different perimeters that need to be monitored and managed.
One perimeter that doesn't get the attention it deserves is the hardware perimeter. Back in the day, the hardware perimeter was the floppy disk. A person could put a compromised floppy disk into a computer and inject it with a virus, worm or Trojan. They could also copy information from the computer or from the network to the floppy disk.
However, the risk of major data loss or compromise through the floppy disk was limited because the disk didn't have much carrying capacity. Floppy disks are all but gone these days and they have been replaced by USB keys and USB removable drives. USB keys keep getting bigger and it's not unusual to see people walking around with 4 GB+ USB keys on their keychains. USB drives are in the terabyte range now. If an unauthorized person is able to connect one of these keys or drives to your computer, they could download entire corporate databases and file servers.
USB keys and USB drives are also able to carry viruses, Trojans and worms. Also, because of their high capacity, they can carry large databases, such as rainbow tables, that can be used to compromise passwords on the network. Because of their carrying capacity, these USB devices increase by many orders of magnitude the risk that removable devices present to your network at the hardware perimeter.
Windows Server 2008 Group Policy can help you solve this problem. There is a setting in the:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions
section of Group Policy that allows you to prevent installation of removable devices.
The description of this setting from the policy goes like this:
Prevent installation of removable devices
Prevents removable devices from being installed.
If you enable this setting, removable devices may not be installed, and existing removable devices cannot have their drivers updated.
If you disable or do not configure this setting, removable devices can be installed and existing removable devices can be updated as permitted by other policy settings for device installation.
NOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.
For this policy, a device is considered to be removable when the drivers for the device to which it is connected indicate that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected.
If this computer is a Terminal Server, then enabling this policy also affects redirection of the specified devices from a Terminal Services Client to this computer.
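To confirm that the setting has actually reached a machine, the following PowerShell audit (an added example, not part of the original article) reports the policy state and lists USB storage devices whose drivers were installed before the policy applied, since the setting governs installation. Assumptions: PowerShell 3.0 or later, and the registry value DenyRemovableDevices under the DeviceInstall\Restrictions policy key, which is where this policy is documented to be stored but which the article itself does not name.

```powershell
# Added example: local audit of "Prevent installation of removable devices".
# Assumption: the policy is stored as the DWORD value below (not stated in the article).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$PolicyName = 'DenyRemovableDevices'
# USB mass-storage devices that Windows has already installed drivers for.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-RemovableDevicePolicyState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # key or value missing
    if ($item.$PolicyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-InstalledUsbStorageDevice {
    # One object per device instance recorded under Enum\USBSTOR.
    if (-not (Test-Path $UsbStorKey)) { return }
    foreach ($class in Get-ChildItem -Path $UsbStorKey -ErrorAction SilentlyContinue) {
        foreach ($instance in Get-ChildItem -Path $class.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Device   = $class.PSChildName      # vendor/product/revision string
                Instance = $instance.PSChildName   # serial number or generated id
                Name     = $props.FriendlyName
            }
        }
    }
}

$state   = Get-RemovableDevicePolicyState
$devices = @(Get-InstalledUsbStorageDevice)

# Summary first, then the devices that were installed before the policy took effect.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    PolicyState     = $state
    Compliant       = ($state -eq 'Enabled')
    KnownUsbStorage = $devices.Count
} | Format-List | Out-String

if ($devices.Count -gt 0) {
    $devices | Format-Table -AutoSize | Out-String
}
```

A machine that reports NotConfigured after a Group Policy refresh is either outside the scope of the GPO or running an operating system that does not support the setting.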
I highly recommend that you consider upgrading to Windows Server 2008 for this and other Group Policy enhancements. Don't let the USB hole be your undoing. It is the second most important hole you need to close on your network, with the SSL security hole being the most dangerous at this time. You can close the SSL security hole using an ISA Firewall together with Collective Software's (www.collectivesoftware.com) ClearTunnel.
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)